Maine DOE Takes Security Steps

Security review and delay in data submission aim to bolster confidence in system

AUGUSTA – The Maine Department of Education announced today that it is taking several immediate steps to strengthen public confidence in its student and staff data information systems. These include an independent review of the security of these systems, and a decision to delay submission of student Social Security numbers to the state until after they have had a chance to review the security report.

The steps are being taken as the voluntary collection of student Social Security numbers has become controversial in some Maine communities as privacy advocates have expressed concerns about the security of the information and because the Department learned in the past few days of an error within a secondary data system not connected to the collection of student information. The error, which was discovered and immediately fixed, affected information in the Staff Module of the State Edition of the Infinite Campus information system, and allowed authorized users of the system to see information there that should have been restricted. The Staff Module is separate from all other modules in the database and is in the final stages of development and not scheduled to be used for staff data collection until the Fall of 2011.

“The Department of Education will release the findings of the independent review, with specific recommendations for how to proceed in the most secure way,” said Education Commissioner Angela Faherty. It is anticipated the review will be completed in the next several weeks.

The error that was discovered on Friday was found by a technology director for a Maine school system, whose job duties include managing student and staff data in Infinite Campus. The technology director informed the Department that he was able to view Social Security numbers for some school staff in other school systems in the state. The Department was able to identify the problem that day and immediately restrict access to the information.

The Department immediately put in place the following changes:

The Department has turned off the synchronization function in the Infinite Campus District Edition so that no locally-entered data can be shared with or viewed by the state or any other user. In addition, we will also delete any student Social Security numbers that have been entered or uploaded into the State system as a result of synchronization so far this year.

At the Department’s request, the State’s Office of Information Technology will immediately engage an outside contractor to conduct an independent security review to verify the integrity of the state’s Staff Module where the error occurred, and to further verify that the student data system is secure.

The Department will delay collection of student Social Security numbers at this time as part of the October 1 data collection. Districts will be provided a software script that allows them to upload student enrollment data without Social Security numbers. Districts should continue to securely hold the Social Security number data they have already collected for later submission.

“We deeply appreciate that this technology director immediately recognized the issue and called the Department to inform us of the error and it was resolved immediately,” Faherty said. “The Department takes the security of private information seriously, and supports school boards, parents and school officials in their caution with respect to the collection of data.”

Only people with authorized access to Infinite Campus had access to the system, and the Staff Module of the Infinite Campus State Edition is separate from all other modules in the database. The staff module is in the final stages of development and not scheduled to be used by the state for staff data collection until the Fall of 2011.